session_start(); if($_SERVER['REQUEST_METHOD'] == 'POST') { if(isset($_POST['csrf_token']) && $_POST['csrf_token'] === $_SESSION['csrf_token']) { // Valid request, process it } else { // Invalid request, reject it } } else { // Output the CSRF token in a hidden input field in the form $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); echo ""; }In this example, we first start the session using the `session_start()` function. Then, we check if the request method is POST using `$_SERVER['REQUEST_METHOD']`. If it is, we check if the `csrf_token` sent in the POST request matches the one stored in the session using `$_POST['csrf_token']` and `$_SESSION['csrf_token']`. If they match, we process the request, otherwise, we reject it. If the request method is not POST, we generate a new CSRF token using `bin2hex(random_bytes(32))`, store it in the session using `$_SESSION['csrf_token']`, and output it in a hidden input field in the form. This example code does not depend on any package or library, it only uses PHP's built-in session handling functions.